Wireshark mailing list archives

Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block


From: Michael Richardson <mcr () sandelman ca>
Date: Fri, 05 Oct 2018 09:47:43 -0400

Guy Harris <guy () alum mit edu> wrote:
    > The second and third option require either the producer, or some
    > post-processor, to write a new version of the file putting the secrets
    > before the packets that require them.  The producer isn't necessarily
    > responsible for doing so; one might have tcpdump, or dumpcap (or some
    > program using dumpcap, such as TShark or Wireshark) write out a capture
    > with no secrets, and then have another program (a utility, or Wireshark
    > after having read in the file and then given the secret in question)
    > write out a new file with the secrets early enough in the file ("before
    > all the packet blocks" is probably the simplest implementation).

I'm in favour of this option, and providing a signal early in the file that
indicates if that process has occurred yet.

    > A producer that *does* happen to have the secret available before
    > seeing any packets that require the secret *could* write it directly.

Agreed.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
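
The post-processing step discussed in the message above, as an added Python example that is not part of the original thread or of Wireshark's code: it reports whether a capture's secrets already precede its packet blocks and rewrites the file so that they do. Assumptions: the Decryption Secrets Block type (0x0000000A) and TLS key log secrets type (0x544C534B) are taken from the pcapng specification as later published, not from this message; the function names are hypothetical; only single-section files are handled; the sample capture and key log line are constructed.

```python
import struct

SHB, DSB = 0x0A0D0D0A, 0x0000000A            # block types, per the published pcapng spec
PACKET_BLOCKS = {0x00000002, 0x00000003, 0x00000006}   # obsolete PB, SPB, EPB
TLS_KEY_LOG = 0x544C534B                     # DSB secrets type "TLSK"

def block(btype, body, e="<"):
    body += b"\x00" * (-len(body) % 4)       # block bodies are padded to 32 bits
    total = 12 + len(body)
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def blocks(data):
    """Yield (type, raw_block, endian) for each block of a single-section file."""
    magic = data[8:12]
    if data[:4] != b"\x0a\x0d\x0d\x0a" or magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
        raise ValueError("not a pcapng section header")
    e, off = ("<" if magic[0] == 0x4D else ">"), 0
    while off < len(data):
        btype, total = struct.unpack_from(e + "II", data, off) if len(data) - off >= 12 else (0, 0)
        if total < 12 or total % 4 or off + total > len(data) or (btype == SHB and off):
            raise ValueError("truncated, malformed or multi-section file at offset %d" % off)
        yield btype, data[off:off + total], e
        off += total

def secrets_state(data):
    """'none' (no DSB), 'early' (every DSB precedes all packet blocks) or 'late'."""
    types = [t for t, _, _ in blocks(data)]
    first_pkt = next((i for i, t in enumerate(types) if t in PACKET_BLOCKS), len(types))
    if DSB not in types:
        return "none"
    return "late" if DSB in types[first_pkt:] else "early"

def hoist_secrets(data, keylog=b""):
    """Rewrite as SHB, all DSBs (plus an optional new TLS key log), then the other blocks in order."""
    parsed = list(blocks(data))
    e = parsed[0][2]
    dsbs = [raw for t, raw, _ in parsed[1:] if t == DSB]
    rest = [raw for t, raw, _ in parsed[1:] if t != DSB]
    if keylog:
        dsbs.append(block(DSB, struct.pack(e + "II", TLS_KEY_LOG, len(keylog)) + keylog, e))
    return parsed[0][1] + b"".join(dsbs + rest)

def sample():  # constructed capture: SHB, IDB, one EPB, then a DSB written late
    key = b"CLIENT_RANDOM 00 11\n"           # constructed placeholder, not a real secret
    return (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
            + block(1, struct.pack("<HHI", 1, 0, 65535))
            + block(6, struct.pack("<5I", 0, 0, 0, 4, 4) + b"\x16\x03\x03\x00")
            + block(DSB, struct.pack("<II", TLS_KEY_LOG, len(key)) + key))
```

The rewritten file embeds key material, so it needs the same handling as the key log it was built from.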
